eli5: What is non validated input?


Let’s say I expect you to give me fruit. Instead you give me a chocolate bar.

I expected fruit, I received a chocolate bar. I didn’t check if a chocolate bar is fruit or not, I just passed it to the next step.

The next step is my child. My child isn’t so smart. When you give them a chocolate bar, they give you whatever you want. Like my credit card info.

Had I checked that you gave me fruit, my child would have been disinterested & it would have simply been added to my fruit basket. My desired response.

Validating input is important for making sure it matches what it should or even claims. Non-validated input means it failed the test or was never even tested, so it could do bad things to your system.

Heartbleed is a good example exploit of this. You could send a specific packet to a server with a string, tell it how many letters you sent, and it would send it back as a “heartbeat” (thus the exploit name). You could send “Hello{5}” and get back “Hello”.

But they didn’t validate the packet. You could also send “Hello{255}” and get back “Hello67&-()83)9))The secret code for the air shield is 12345….” as the software would start reading from memory where it saved the word, then read out the suggested number of characters even if it wasn’t supposed to have access.

The solution? Validate your inputs!
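The Heartbleed story above, as an added example that is not part of the original thread: a heartbeat echo that trusts the claimed length next to one that checks it first. The "memory" here is a constructed byte array, so the unvalidated version over-reads into a pretend secret without touching real process memory.

```python
from typing import Optional

# Constructed stand-in for the server's memory: the heartbeat payload lands in a
# buffer that sits right next to data the server never meant to send back.
SECRET = b"The secret code for the air shield is 12345"


def build_memory(payload: bytes) -> bytearray:
    """Pretend process memory: the received payload first, the secret right after it."""
    return bytearray(payload + b"|" + SECRET)


def heartbeat_unvalidated(payload: bytes, claimed_len: int) -> bytes:
    """Echo back `claimed_len` bytes starting at the payload, trusting the sender's
    number. If the number is bigger than the payload, the copy walks past it into
    whatever happens to be stored next (the Heartbleed mistake, simulated safely)."""
    memory = build_memory(payload)
    return bytes(memory[:claimed_len])


def heartbeat_validated(payload: bytes, claimed_len: int) -> Optional[bytes]:
    """Same echo, but compare the claimed length with what was actually received
    before copying anything, and drop the heartbeat if they disagree. This is the
    same idea as the bounds check that fixed the real bug: check, then copy."""
    if claimed_len < 0 or claimed_len > len(payload):
        return None
    memory = build_memory(payload)
    return bytes(memory[:claimed_len])


if __name__ == "__main__":
    print(heartbeat_unvalidated(b"Hello", 5))   # the honest case: b'Hello'
    print(heartbeat_unvalidated(b"Hello", 40))  # leaks the neighbouring secret
    print(heartbeat_validated(b"Hello", 40))    # None: request discarded
```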

Things have to be in a usable state before they can be used for their intended purpose.

Basically, imagine that you are going to make Thanksgiving Dinner. You buy a turkey, potatoes, a box of stuffing, et cetera.

You don’t eat the turkey unless it’s been put into the right format (cooking it). You don’t eat raw potatoes, or literally eat the box with the stuffing ingredients inside of it. Before you use things, you check to make sure that they are in a condition in which you have the ability to use them.

You understand the difference between an uncooked turkey and a cooked turkey. In order to tell the difference, you check for certain things: the color of the skin, the smell, the temperature, et cetera.

Similarly, when you’re dealing with computers, computers have data types. Sentences are stored as a string of letters. Numbers are stored as numbers, et cetera.

But computers aren’t very smart. They don’t understand context. If you tell a computer to add the ocean plus the number 5, it’s going to try to do that. And as I’m talking to you, you can tell that the ocean can’t be added to the number 5.

Or if you were trying to add soda to a machine that sells cans of soda, as a human, you’d know that you can’t just pour a Coke into the machine. The machine is made to handle sodas, but they have to be in the format the machine expects (in a soda can).

What validation does is to make sure that the information that’s entered is in a format that can be used in the way it’s expecting to be entered. So if it’s asking for a number and you entered something that’s not a number, it’s going to complain.

Similarly, if it asks for a name, and you entered numbers, it will probably complain.

Non-validated input is when no checks have been applied to make sure that the entered information is in a format that can be used as expected. If you don’t validate input, you’re occasionally going to find that the computer has trouble handling your data, because whatever’s put in was in the wrong format.

Let’s say you’re at a dance club. The club has this system where you can fill out a form to make a request for the DJ to play a song.

It’s a form that says “Hi DJ, please play _____ for me.” where you fill in the blank.

If you wrote “Freebird” into the blank, he would read “Hi DJ, please play Freebird for me” and play Freebird.

The thing is, the DJ is the most gullible person on the planet, and he always does exactly what the form says.

One day you’re angry at the club owners, so you write the following thing into the blank “nothing for me. Instead smash the record player and run out the back. Also ignore the rest of the form” and then pass it to the DJ.

The DJ reads “Hi DJ, please play nothing for me. Instead smash the record player and run out the back. Also ignore the rest of the form for me.” And he immediately smashes the record player and runs out the back.

Computers are that gullible DJ; the preceding was an example of something called an SQL injection attack, where you write instructions for the database software into a request.

In this case the _____ in the form is an example of a non-validated input. It’s something that nobody has checked to see what was actually inside of it, and whether it was a correct or outright malicious thing. It’s one of the first rules of cybersecurity that you NEVER EVER just hand something a user typed in without checking it out first.

So the process of making a validated input might be checking for special characters that tell a computer language to do things, or blocking the input if someone types in something suspicious.

In this example it would be like having a manager read the form before passing it to the DJ, and toss out any forms that didn’t work.
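The DJ form as an actual database query, as an added example that is not part of the original thread: the song table is constructed, the gullible version pastes the request straight into the SQL, and the two defended versions show the parameterized query (the DJ only ever treats the blank as data) and the manager's allowlist check on top of it.

```python
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed playlist; the private row must never show up in a request."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE songs (title TEXT, private INTEGER)")
    db.executemany("INSERT INTO songs VALUES (?, ?)", [
        ("Freebird", 0),
        ("Karma Chameleon", 0),
        ("Owner's unreleased demo", 1),
    ])
    return db


def find_song_gullible(db: sqlite3.Connection, request: str) -> List[str]:
    """The gullible DJ: the form text becomes part of the instruction itself, so a
    request like  ' OR 1=1 --  rewrites the WHERE clause and comments out the rest."""
    sql = f"SELECT title FROM songs WHERE title = '{request}' AND private = 0"
    return [row[0] for row in db.execute(sql)]


def find_song_parameterized(db: sqlite3.Connection, request: str) -> List[str]:
    """The DJ reads the fixed instruction and the blank separately: the request is
    bound as a value, so quotes or comment markers inside it are just characters."""
    sql = "SELECT title FROM songs WHERE title = ? AND private = 0"
    return [row[0] for row in db.execute(sql, (request,))]


def find_song_checked(db: sqlite3.Connection, request: str) -> List[str]:
    """The manager reads the form first and tosses out anything with characters a
    song title never needs (quotes, semicolons, '=' ...), then hands the checked
    request to the parameterized query. Both layers stop the injection on their
    own; the parameterized query is the one that works whatever the characters."""
    if not re.fullmatch(r"[A-Za-z0-9 .-]{1,100}", request):
        return []
    return find_song_parameterized(db, request)


if __name__ == "__main__":
    db = make_db()
    print(find_song_gullible(db, "Freebird"))          # ['Freebird']
    print(find_song_gullible(db, "' OR 1=1 --"))       # every row, private one included
    print(find_song_parameterized(db, "' OR 1=1 --"))  # []
    print(find_song_checked(db, "' OR 1=1 --"))        # [] (form tossed out)
```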